PHP Security Courses Validation and Input Filtering (Part 1)

We need to keep in mind that all input strings (text value) that are displayed as numerous values are still only strings. PHP has the ability to work with different types of data with dynamic changes. So, if you declare a variable string containing the value of “23”, we can aggregate it with any number.

For example:

$num= "23"  // differs from $ number = 23;
$new_num = $num + 3; // 26

This code is by no means a security risk, but only a feature of PHP. Good developers always have to keep in mind what types of data they are doing. This is one of the basics for proper validation of inputs, so let’s move on.

Validation of Numerous Values

Validating a number of values is very simple and allows us to work with the correct data and to greatly increase the security of our PHP application. Specifically, if we have a web page that outputs product information based on the command URL or the given parameter ID and if we did not verify that it is actually a numeric value (in the majority of cases it is), the attacker can easily cause errors in the work applications, and even SQL injection, or change the query itself to “take” product information and thus jeopardize the security of the application.

An example of such a code might look like this:

//';DELETE FROM products;--
$id = $_GET['id'];
$sql = "SELECT * FROM products WHERE id= '$id'";

It is clear that instead of one, making two queries and a $sql variable would look like this:

SELECT * FROM products WHERE id = '15'; DELETE FROM products; --'

Validating this input or parameter ID would be simple. You just need to make sure that an input parameter is a real number, and in other cases, we show a mistake or a non-existent side. For this purpose, we can use the is_numeric () function.

if(!is_numeric($_GET['id'])) {
    // show 404 page

However, a better way is casting data or changing a type. In this way, we definitely make sure that we are working with the right type of data.

$id = (int) $_GET['id']
if($id == 0) {
    // show 404 page

The following code is also a “best practice” example in these cases:

//';DELETE FROM products;--
// First we check whether the parameter is mandatory at all
if(empty($_GET['id'])) {
    // show 404
// casting
$id = (int) $_GET['id']; // 15
// Optimization: We prevent unnecessary query
if($id <= 0) {
   // show 404
// Now the query is safe
$sql = "SELECT * FROM proizvodi WHERE id= '$id'";

Note: mysql_query () does not allow multiple queries at one time, but drivers for PostgreSQL and SQLite support them.

Tip: Database operations are the most expensive in terms of time and memory, so if we do not have to have a query, we do not even have to. This example excels well that we do not need to query if $id is smaller or equal to zero, because in our database we probably will not have a product with that ID.

Validation of Textual Inputs

While filtering the numbers is relatively easy, filtering text inputs is a bit more complicated. For some simpler input formats, such as zip code, phone, email address, we can use existing PHP functions. But, before being explained in detail, the following example highlights the importance of filtering the input.

If we had a simple contact form that the user fills in with their personal information, email address, and comment, a simple script that would execute this contact form and sent the information to our email address might look like this:

// form data
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
// Heder to print the sender to the mail client
$heder = "From: $name <$email> \n\r";
// send email to our address
mail('', $message , $heder);

This script will certainly work as expected, but only if we believe the user will actually enter the correct data. Since we cannot believe it, the attacker can easily use this script to send SPAM messages from our server.

Just enter your name or email address instead of something like this:> \n\r To: <> \n\r Bcc: <

It is clear that the $email value will be copied directly to the $header, and the message will be sent to as many addresses as the attacker wants. The importance of protection, in this case, is very high, you certainly would not want to send spam messages from our servers, which may be labeled as malicious and end up in a “blacklist“.

Once again, the solution to this and many other problems is filtering inputs. So let’s go:

Ctype functions

Character type functions have great features while also having excellent performance. These functions test each character and the result will be TRUE only if each character satisfies the set criterion. Otherwise, if the character is of an unauthorized type, the result will be FALSE.

Function Description

  • ctype_alnum Checks letters and numbers
  • ctype_alpha Checks character letters
  • ctype_digit Checks many characters
  • ctype_lower Check small letters
  • ctype_upper Check capital letters

Filter Function

Filter functions have two options – to validate according to the set criteria or to sanitize it if it does not meet the criteria. Certainly, only validation is recommended, but the correction has its wide application.

filter_var($var, $filter);

The first attribute is the value to be verified and the other is the criterion for the verification, and the following table represents the most commonly used criterion:

Filter Description

  • FILTER_VALIDATE_EMAIL Check email addresses
  • FILTER_VALIDATE_INT Prove Numerous Values with min_range and max_range options
  • FILTER_VALIDATE_IP Check IP addresses
  • FILTER_VALIDATE_URL Check the correct URL address

The following example shows the valid validation of the email address. Also, it is a solution for an earlier example that has enabled sending massive SPAM messages:

$email = $_POST['email'];
if(filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // is now safe to send mail

Regular Expressions (Regular Expression, Regex)

Regular expressions are a set of rules that are executed over certain data in order to identify characters and/or character sets in a text object. Regular expressions are used by all programming languages, have relatively good performance and wide applicability.

The following table shows the frequently used PHP functions that use regular expressions:

Function Description

  • preg_match           Performs a regex data verifier
  • preg_match_all     Search data based on regex and sets results in a string, based on the rules set
  • preg_replace         Search data based on regex and hits replaced with other data

    Since regular expressions and their functioning are not the topics of this post, only the most widely used terms in the data verification will be shown:

// an expression for checking email address
$regex = '/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}$/';
if(preg_match($regex, $email)) {
    // valid email address

The following table gives frequently used and few interesting regular expressions:

Term Description

  • / ^ [a-z] * $ /                                           All lowercase letters in the range from letters a to z
  • / ^ [a-zA-Z0-9] * $ /                              Letters and numerals (lowercase and upper case letters)
  • / ^ [a-fA-F0-9] {32} $ /                         Format md5 hash value
  • / ^ (5 [1-5] [0-9] {14}) * $ /                   Master Card format
  • / * (4 [0-9] {12} (?: [0-9] {3})?) * $ /    Visa Credit Card Format

So far, we have talked about validation and filtering of inputs. In the next post, you can expect texts on XSS (Cross Site Scripting) and SQL injection.

4 0

Leave a Reply

Your email address will not be published. Required fields are marked *